Plug memory leak in weed-expired-certs code.

X509_STORE_add_cert() creates a copy of the certificate we're offering,
so we need to free our copy afterwards.  This isn't documented, but from
observed behaviour in OpenSSL 1.0.2 and its master branch source code.

Change PEM_read_X509() call to reuse cert to avoid free/reallocation
overhead.

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 17ba746ca4a5e69036e5bd51c8e759c57092f006..c63cda5d9a0cfd67948cc40a6a7728f4b20e5da2 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -95,7 +95,7 @@ static int ssl_negotiate (CONNECTION *conn, sslsockdata*);
 static int ssl_load_certificates (SSL_CTX *ctx)
 {
   FILE *fp;
-  X509 *cert;
+  X509 *cert = NULL;
   X509_STORE *store;
   char buf[STRING];
 
@@ -110,18 +110,20 @@ static int ssl_load_certificates (SSL_CTX *ctx)
   if ((fp = fopen (SslCertFile, "rt")) == NULL)
     return 0;
 
-  while ((cert = PEM_read_X509 (fp, NULL, NULL, NULL)) != NULL)
+  while (NULL != PEM_read_X509 (fp, &cert, NULL, NULL))
   {
     if ((X509_cmp_current_time (X509_get_notBefore (cert)) >= 0) ||
         (X509_cmp_current_time (X509_get_notAfter (cert)) <= 0))
     {
       dprint (2, (debugfile, "ssl_load_certificates: filtering expired cert: %s\n",
               X509_NAME_oneline (X509_get_subject_name (cert), buf, sizeof (buf))));
-      X509_free (cert);
     }
     else
+    {
       X509_STORE_add_cert (store, cert);
+    }
   }
+  X509_free (cert);
   safe_fclose (&fp);
 
   return 1;